> Portal Navigation:
> 
> - Append `.md` to any URL under `https://dev.wix.com/docs/` to get its markdown version.
> - Pages are either content pages (article or reference text) or menu pages (a list of links to child pages).
> - To get a menu page, truncate any URL to a parent path and append `.md` (e.g. `https://dev.wix.com/docs/sdk.md`, `https://dev.wix.com/docs/sdk/core-modules.md`).
> - Top-level index of all portals: https://dev.wix.com/docs/llms.txt
> - Full concatenated docs: https://dev.wix.com/docs/llms-full.txt

## Resource: Sign In with an Identity Provider Using the REST API

## Article: Sign In with an Identity Provider (IdP)

## Article Link: https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/external-identity-provider/sign-in-with-an-identity-provider-using-the-rest-api.md

## Article Content:

# Sign In with an Identity Provider Using the REST API

Let members sign in with an identity provider such as Google or Facebook. You add a login interface, like a **Sign in with Google** button, to your own site whose handler starts the login flow with the provider you choose.

Wix runs the authentication flow, so you don't need to build a login page, manage the provider's OAuth flow, or use an API key. The member simply signs in with their existing account.

## Before you begin

Before starting to code, make sure that you:

- Create a [headless client](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/oauth/about-oauth-authentication.md) and note its client ID.
- Set your callback URL as an [allowed authorization redirect URI](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/add-allowed-authorization-redirect-uris.md).

## Send members straight to a provider

This is the recommended approach for most sites: the member clicks a provider button in your own UI and goes directly to that provider, with no Wix login page in between.

The flow is the same as a Wix login page, except that you add an `idp` field to the authorization request, set to the provider's connection ID. Use the following connection IDs:

| Provider | Connection ID |
| --- | --- |
| Google | `0e6a50f5-b523-4e29-990d-f37fa2ffdd69` |
| Facebook | `3ecad13f-52c3-483d-911f-31dbcf2a6d23` |

> **Note:** Custom OpenID Connect (OIDC) connections, such as your own single sign-on (SSO) provider, are a premium feature and aren't available to all sites. If your site has it, you'll see **SSO settings** in your dashboard, where you can configure a connection and get its ID. To sign members in through such a connection, set `idp` to that connection's ID. Wix still runs the flow.

### Step 1 | Prepare security data

Before starting the login, prepare the following:

- A **redirect URI** for your callback page. It must be an [allowed authorization redirect URI](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/add-allowed-authorization-redirect-uris.md).
- Your **client ID**, found in your project's [Headless Settings](https://www.wix.com/my-account/site-selector/?buttonText=Select%20Site&title=Select%20a%20Site&autoSelectOnSingleSite=true&actionUrl=https:%2F%2Fwww.wix.com%2Fdashboard%2F%7B%7BmetaSiteId%7D%7D%2Foauth-apps-settings) under **Headless clients**.
- A [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/) code verifier and code challenge.
- An [OAuth 2.0 state parameter](https://auth0.com/docs/secure/attack-protection/state-parameters).

Store the code verifier, code challenge, and state so they're available on your callback page.

### Step 2 | Create a redirect session

In the handler for your **Sign in with Google** button, call [Create Redirect Session](https://dev.wix.com/docs/api-reference/business-management/headless/redirects/create-redirect-session.md) with the security data, plus an `idp` field set to the provider's connection ID. Authorize the request with the current visitor's [access token](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/visitors/handle-visitors-using-the-rest-api.md#generate-new-visitor-tokens).

```shell
curl --location 'https://www.wixapis.com/_api/redirects-api/v1/redirect-session' \
--header 'authorization: <VISITOR_ACCESS_TOKEN>' \
--header 'content-type: application/json' \
--data '{
  "auth": {
    "authRequest": {
      "redirectUri": "https://www.mysite.com/callback",
      "clientId": "<CLIENT_ID>",
      "codeChallenge": "<CODE_CHALLENGE>",
      "codeChallengeMethod": "S256",
      "responseMode": "fragment",
      "responseType": "code",
      "scope": "offline_access",
      "state": "<STATE>",
      "idp": "0e6a50f5-b523-4e29-990d-f37fa2ffdd69"
    }
  }
}'
```

The response includes a `fullUrl` that sends the member to the provider.

### Step 3 | Redirect the member to the provider

Redirect the member to the `fullUrl` from the response. Wix sends them straight to the provider's sign-in page. After they authenticate, Wix redirects them back to your redirect URI with `code` and `state` in the URL fragment.

### Step 4 | Retrieve member tokens

On your callback page, confirm the returned `state` matches the value you stored, then exchange the `code` for member tokens by calling [Retrieve Tokens](https://dev.wix.com/docs/api-reference/business-management/headless/authentication/retrieve-tokens.md):

```shell
curl --location 'https://www.wixapis.com/oauth2/token' \
--data '{
  "clientId": "<CLIENT_ID>",
  "grantType": "authorization_code",
  "redirectUri": "https://www.mysite.com/callback",
  "code": "<CODE>",
  "codeVerifier": "<CODE_VERIFIER>"
}'
```

The response includes an `access_token`, a `refresh_token`, and `expires_in`. Use the tokens to make [authenticated API calls](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/oauth/make-rest-api-calls-using-oauth.md) as the member. To refresh tokens or log the member out, see [Handle Members with a Wix Login Page](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/wix-login-page/wix-login-page-using-the-rest-api.md).

> **Note**: You can also send members to the Wix login page, where each available provider appears as a button alongside email login and members choose how to sign in. To do so, follow the standard [Wix login page flow](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/wix-login-page/wix-login-page-using-the-rest-api.md) without an `idp` field.

## See also

- [Handle Members with a Wix Login Page](https://dev.wix.com/docs/go-headless/self-managed-headless/authentication/members/wix-login-page/wix-login-page-using-the-rest-api.md)